One of the first big data breaches to impact a college campus hit Ohio State University in 2010, involving the records of more than 700,000 people affiliated with the school. While there has never been evidence that records were actually stolen, the event was a wake-up call for Ohio State and other major universities, said Dave Kieffer, an information technology leader at Ohio State at the time of the breach.
The threat then was novel, but over the past decade, colleges have become more proactive in addressing such risks. Cybercriminals target colleges for a few reasons, said Kieffer, who is now a research vice president with the Tambellini Group, an IT consulting firm.
For one, the diversity of campus functions makes it challenging to build a comprehensive security program. Institutions also house a massive number of digital identities, making them a treasure trove for hackers. On campuses conducting research, intellectual property has also increasingly been targeted.
Aging IT infrastructure, which is common across campus, complicates the situation by making it harder to securely store or transmit data, said Jesse Beauman, the assistant vice chancellor for enterprise infrastructure at the University of North Carolina at Charlotte.
When the pandemic forced most colleges to move the bulk of classes and activities online last spring, it raised the level of cybersecurity risk created by these kinds of vulnerabilities. Although students and staff were distributed across the globe, cybersecurity systems had to be maintained.
Pandemic-era security risks
Security threats could appear minor. At Mt. Hood Community College, in Oregon, faculty and staff primarily use devices provided by the college, but as most employees began to work from home, they used more personal laptops, tablets and phones to do their jobs.
This became one of Mt. Hood's "biggest pain points" during the transition to remote operations, especially when it came to ensuring employees could access the college's internal systems through virtual private network (VPN) connections, Blake Brown, Mt. Hood's infrastructure manager, and Chris Neal, a cybersecurity specialist at the college, said in an email.
Two of the biggest risks to colleges' networks are unsecured WiFi connections and weak password management that leads to stolen login credentials.
Requiring VPN use took care of the need for a secure connection, but instituting safer login access was more challenging. The college launched a new multi-factor authentication solution, which was new to many Mt. Hood employees. Multi-factor authentication requires people to provide two or more pieces of information, such as a password and a code received through a text message (SMS), to gain access to a system. Its novelty meant Brown and Neal also had to do a fair amount of training and communicating about the change before it launched.
Schools are also made vulnerable by the use of unpatched and unsupported software and operating systems, such as Windows XP or Windows 7. This behavior has attracted a type of cyberattack called ransomware, in which attackers encrypt their target's files and demand payment to restore access. Ransomware attacks against higher education institutions doubled between 2019 and 2020, costing them $447,000 on average, according to one recent report. It is the No. 1 cyberthreat to universities, ahead of data breaches and data theft by nation-states, the report explains.
"Most ransomware attacks start with phishing, which targets users on any device and within any messaging application (email, SMS, and social media) that allows cybercriminals to send malicious links to unsuspecting users," said Hank Schless, senior manager for security solutions at cybersecurity firm Lookout, in an email. Clicking on the link or opening the attachment in a phishing email results in a malware download or stolen login credentials.
Data breaches have also focused on colleges in recent years. The technologies used during the pandemic for remote teaching, learning and managing daily operations have opened up new doors for cybercriminals, making schools even more vulnerable to their attacks, said Kashif Hafeez, senior director at security firm WhiteHat. Remote learning and working provides more chances to share sensitive information over unsecured networks, or to share sensitive data with unauthorized people. Data breaches aren't just caused by malicious outsiders, but also inadvertently by insiders who, for example, send a spreadsheet with student records in an unencrypted email, violating data privacy rules.
Nation-states, meanwhile, are often after research and intellectual property. But because these attacks can be on classified information, they are often withheld from public knowledge.
The full extent of the pandemic's impact on campus cybersecurity won't be apparent for some time, but there are signs higher education has been under attack.
Last spring, Michigan State University and the University of California, San Francisco's medical school were victims of ransomware attacks. A wide swath of institutions in the last year has dealt with hackers who infiltrated virtual classrooms with disruptive, and in some cases racist or pornographic, images. More recently, the Maricopa Community Colleges, in Arizona, extended spring break by a week to give officials time to address a cyberattack targeting its computer networks.
And the Federal Bureau of Investigation warned colleges in March of an increase in a specific type of ransomware attack aimed at education institutions in 12 U.S. states.
Reducing risk on campus
Cyberattacks are costly to colleges and to the stakeholders whose personal information is impacted. To improve security as institutions rely more on digital tools for teaching and learning, campus leadership should consider the following:
- The university is accountable when a security incident occurs, not IT or the cybersecurity team. Therefore, cybersecurity and risk management should be a concern for leadership, starting with the president and the governing board.
- IT budgets should consider ongoing expenses for upgrades to software, hardware and the network.
- A single person will have multiple digital identities due to unconnected internal campus networks. Consider network consolidation that decreases the number of identities, and implement identity and access management systems.
- Require multi-factor authentication for all network connections.
- Use data management programs that allow IT and security teams to better understand internal data — what you have, where it is and how it moves. The more you know your data, the better you can protect it.
- Institute data backup systems that aren't connected to your internal network. If there is a ransomware attack, you can use the backup to keep operations running.
- Remember that most students have grown up on computers and may not be sensitive to privacy and security concerns. Security awareness training should be required for all students, as well as faculty and staff.